Restricted users are able to browse secure sites at restricted time

We have configured Squid proxy server 2.6 STABLE on a Fedora 6 box. We have given full-time net access to particular users only. The remaining users can access the net at particular times only. But for Skype access we have given access to all users. This is our code for Skype access.

 acl Safe_ports port 80 # http
 acl Safe_ports port 21 # ftp
 acl Safe_ports port 443 563 # https, snews
 acl Safe_ports port 70 # gopher
 acl Safe_ports port 210 # wais
 acl Safe_ports port 1025-65535 # unregistered ports
 acl Unreg_ports port 1025-65535 # unregistered ports

 acl Safe_ports port 280 # http-mgmt
 acl Safe_ports port 488 # gss-http
 acl Safe_ports port 591 # filemaker
 acl Safe_ports port 777 # multiling http

 acl udpproto proto UDP

 http_access allow udpproto Safe_ports

For all users Skype is working fine. The limited-time users (limited net access users) are able to access some secure sites like Gmail, Hotmail & many banking sites. I want to allow only Skype access, not secure websites, for limited users at restricted time.
rajasekarramasamy Asked:

Michael Worsham (Staff Infrastructure Architect) Commented:
Perhaps this thread can shed some light...

Multiple ACL time restrictions
http://www.squid-cache.org/mail-archive/squid-users/200105/0870.html
0
rajasekarramasamy (Author) Commented:
Hi mwecomputers,

I don't need a solution for ACL time restriction.

FYI

In our setup we have enabled Skype access for the users having limited (time-restricted) net access.

For Skype access via Squid we need to allow https port 443 to connect Skype via Squid. If we enable this secure port, the restricted users (time restricted) are able to access secure sites during restricted time.

0
Michael Worsham (Staff Infrastructure Architect) Commented:
I don't know if squid can accomplish what you are asking for... however...

An easy solution would be setting up an Untangle application server between your router and your internal network in transparent bridge mode. The Untangle appliance has a Web Content Control module that filters user access to specific Internet websites including setting time and user based policies (e.g. allow gmail access during lunch and outside business hours). The Web Content Control also enables you to choose among these categories to define web content control policies in your workplace. It can use custom URL blocklists for hosts, domains, and file types to block/filter additional content.

Untangle Site:
http://www.untangle.com/

Untangle Product Overview:
http://www.untangle.com/index.php?option=com_content&task=view&id=86&Itemid=179

Untangle Demo/Video Overview
http://www.untangle.com/video_overview/
0

rajasekarramasamy (Author) Commented:
I need a solution in squid only.
0
dennisonz Commented:

Have you tried:

acl https_sites dstdomain "/etc/squid/https_sites"
http_access deny https_sites

The "/etc/squid/https_sites" contains:
.gmail
.hotmail.
."banking sites"



0
rajasekarramasamy (Author) Commented:
I tried with your settings; the users are able to browse. The problem is that for Skype I enabled port 443 (https) for all users (full-time net users & limited net time users). The limited net time users are able to browse https sites (able to browse only https sites) at restricted-browsing hours. This is the problem I am facing. Skype uses only port 443 to connect. Is there any way to connect Skype via Squid without using port 443 (https)?

This is my config for skype connection in squid.

 acl Safe_ports port 443
 acl udpproto proto UDP
 http_access allow udpproto Safe_ports


Any solution? It is very urgent.
0
dennisonz Commented:

With the settings in my previous post, it would also block:

http://www.gmail.com
https://www.gmail.com

These are my settings in Squid and they are working fine. Place this after your config for the Skype connection.
0
dennisonz Commented:

Haven't tried this yet, but it's worth a try: have Skype use a different port number instead of 443. Then remove 443 from your Safe_ports.

For example:
 acl Safe_ports port 80 # http
 acl Safe_ports port 21 # ftp
 acl Safe_ports port 444 # skype
 acl Safe_ports port 70 # gopher
 acl Safe_ports port 210 # wais
 acl Safe_ports port 1025-65535 # unregistered ports
 acl Unreg_ports port 1025-65535 # unregistered ports

 acl Safe_ports port 444
 acl udpproto proto UDP
 http_access allow udpproto Safe_ports

0
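Added example, not part of the thread and not any poster's configuration: one way to keep port 443 open for Skype while denying HTTPS websites to time-limited users, relying on Squid's first-match `http_access` ordering. The subnets, the time window, the ACL names and the premise that the Skype client sends CONNECT requests to literal IP addresses (while browsers send hostnames) are assumptions.

```conf
# Added example. All addresses, hours and ACL names are assumptions.

acl limited_users src 192.168.1.0/24      # assumed subnet of time-limited users
acl full_users    src 192.168.2.0/24      # assumed subnet of full-time users
acl open_hours    time MTWHF 13:00-14:00  # assumed window when limited users may browse

acl CONNECT   method CONNECT
acl SSL_ports port 443

# For CONNECT requests Squid matches url_regex against "host:port".
# This ACL matches only when the host is a literal IPv4 address
# (assumed Skype pattern); a browser asking for a site by name
# sends "mail.example.com:443" and does not match.
acl ip_connect url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:443$

# Tunnels are only ever allowed to port 443.
http_access deny CONNECT !SSL_ports

# ACLs on one line are ANDed; the first matching line decides.

# 1. Inside the open window, limited users get normal access.
http_access allow limited_users open_hours

# 2. Outside the window, limited users may only open tunnels
#    to literal IP addresses on 443.
http_access allow limited_users CONNECT ip_connect

# 3. Everything else from limited users is refused, including
#    CONNECT to hostnames such as webmail or banking sites.
http_access deny limited_users

# Full-time users are unaffected by the rules above.
http_access allow full_users
http_access deny all
```

A site requested by literal IP address on port 443 still passes rule 2, so this narrows HTTPS access rather than identifying Skype itself. After editing, `squid -k parse` checks the syntax and `squid -k reconfigure` loads the new rules.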
